Anonymous says its members should be free to DDOS websites as they please. (Source: Wikimedia Commons)

Anonymous calls Paypal "corrupt" for refusing to support Wikileaks and cooperating with the FBI in arresting members associated with the attacks. (Source: Furious Fanboys)

Anonymous takes credit for an eBay stock drop, failing to recognize that the drop was due to a poor earnings report. (Source: Crescent State Bank)

Group claims drop was due to its boycott of "corrupt" Paypal, says DDOS attacks are not illegal

The hacker group Anonymous has yet again struck out at eBay Inc. (EBAY) subsidiary Paypal.

I. "It's My Party, and I Can DDOS if I Want to"

The large group of international hackers [1][2][3] and internet enthusiasts has been at odds with the e-payment service ever since last year, when it severed funding to Wikileaks citing violations of the terms of service, which forbid funding to be used in support of criminal activity.

Anonymous responded with distributed denial of service attacks. Its thousands of members directed their Low Orbit Ion Cannon (LOIC) programs to spam Paypal's servers with requests, which succeeded in temporarily slowing or crashing Paypal's services.

Now Anonymous and its daughter organization LulzSec [1][2][3][4][5][6][7] [8][9][10][11][12][13][14][15] are calling jointly for a boycott of all Paypal services in response to the arrests. The organization writes:

Many of the already-apprehended Anons are being charged with taking part in DDoS attacks against corrupt and greedy organizations, such as PayPal.

What the FBI needs to learn is that there is a vast difference between adding one's voice to a chorus and digital sit-in with Low Orbit Ion Cannon, and controlling a large botnet of infected computers. And yet both of these are punishable with exactly the same fine and sentence....Quite simply, we, the people, are disgusted with these injustices. We will not sit down and let ourselves be trampled upon by any corporation or government. We are not scared of you, and that is something for you to be scared of. We are not the terrorists here: you are.

In short, Anonymous is arguing that distributed denial of service (DDOS) using the LOIC is a protest, not a cyber attack, and people should be free to DDOS with LOIC as they please (even if it disrupts businesses). Of course they'd likely feel a bit different about the superior DDOS application XerXes, which was employed by a hactivist calling himself th3j35t3r ("The Jester") to take down Anonymous's beloved Wikileaks last year.

The group suggested that they could drop the stock to as low as $20 per share -- a fall of almost a third.

However, such claims seem opportunistic and unrealistic, given that eBay just reported disappointing earnings. While the earnings showed strong growth, earnings per share fell a cent short of the average analyst prediction, leading to the stock decline.

As of yesterday Anonymous was crowing about "tens of thousands" of Paypal accounts being deactivated. If this is accurate, Paypal should hardly be concerned -- it has over 100 million accounts. Of course, thanks to the convenient timing of the stock right after an earnings report, Anonymous can claim credit for the drop.

Surprisingly some news sites, such as NeoWin even believed the rhetoric. The site, apparently oblivious of the earnings disappointment, wrote:

The boycott can be linked with a stock crash of their parent company Ebay which has already dropped ~3%. It’s expected that it will fall even more as more and more people follow the actions of others and deactivate their accounts.

If there's one thing Anonymous may have legitimately done, it's overloading Paypal's account deactivation page. As of yesterday the page was down, though deactivations were proceeding via the service's phone line -- +1-888-221-1161.

This is understandable, though, as the service likely only experiences a small number of deactivations on any given day.

Comments

Threshold

Username

Password

remember me

This article is over a month old, voting and posting comments is disabled

Statements like that, about DDoS attacks not being illegal, just show how completely ignorant of the law some people are. I feel kinda bad for these kids when they grow up and have to live with their criminal record for the rest of their lives.

I agree with you, but how is that different to a peaceful protest in physical form, where people might protest outside a physical bricks and mortar store and put people off going in, thereby losing the company money. This might be illegal now in the US under the patriot act (possibly?), but is still legal in the UK and the rest of the western world.

quote: how is that different to a peaceful protest in physical form, where people might protest outside a physical bricks and mortar store and put people off going in

A physical protest attempts to stop people by spreading a message that convinces them not to shop at Store X, not through physical force. People can still shop at Store X if they don't agree with or don't care about the cause. A DDOS attack attempts to stop people from shopping at Store X, period. No reason given to those turned away and no choice in the matter.

Moreover, an effective physical protest can't really be on store property (else they could be lawfully removed), nor can they really attempt to damage store property (else they could be arrested). A DDOS attack violates store property.

Also Civil Disobedience does not take place anonymously or use stooges to do the work. The hackers who are doing this are anonymous and/ or use zombies (stooges) for their own work. Being in a cause means being known. Ask the ciil rights activists how well anonymous works.

They are not being fired at. They are simply arrested and charged with violating the law. Similar to what happens to protesters who try to block access to the target business instead of simply getting their message heard by shouting at or being seen by those going past the protest.

Of course there are several significant differences between a strike and a DDOS attack as well, the most pertinent being that striking employees cannot legally stop you from crossing a picket line (nor should they be able to), although they can certainly persuade you not to via guilt trip.

actually in practice it has a lot in common with a sit in, where protesters would sit in an institution and refuse to leave through civil disobedience. The main difference is that it happens online. Most DDOS attacks use large armies of "zombied" pcs, but the LOIC is voluntary. I think it should be treated the same as sit ins, which I think will still get you arrested. Point is, if you are doing it for a cause you believe in I can't see how it is necessarily evil.

A DDoS protest is not inherently evil. However a DDoS attack can definitely be done with evil intent.

Most of those ranting about the response to DDoS events are upset because the police and the targets don't think its a lot of harmless fun. Most of the screaming is from those who think that because the individual screamer agrees with the protest the protesters should be immune from reaction by their targets & law enforcement.

If you or others want to start DDoS attacks as Civil Disobedience, then it is also necessary to realize that Civil Disobedience results in enforcement of the laws forbidding the action, unless the law in question is repealed. Real Civil Obedience protesters understand this and so accept jail time as part of their protest.

The problem today is that the concept of CONSEQUENCES isnt taught to kids anymore.

How was I and folks of my older generation taught it?

You went so far with your actions then you got a good thrashing from parents or teacher if you went too far.

That soon taught most of us to think things through and weigh up the potential for a 'misfire'. The 'Pros & Cons' scenario.

"Hang on if I do that I could get into major trouble!"

Essentially it makes you think for a second before you go ahead and do something stupid.

Nowadays a lot of kids are not properly disciplined at home or school so do not learn any boundaries. To them its all fair game. No one is going to stop them. Then they do something that has major issues and its "wahh wahh its not my fault!"

I wouldn't be so quick to dismiss their argument as meritless. The individual requests they make to the server are legal. Then you must believe the aggregrate sum of an unnatural amount of legal requests adds up to illegal activity withouth any other explicitly illegal act?

If they were taking control of computer systems owned by someone else to help perpetrate their attack, then its clearly illegal, but if they are only directing their own systems, I think it might be a bit tougher to prove criminal action.

I think this would be a lot like trying to overload a company's customer service email box or call center with complaints to diminish their ability to effectively serve valid customer requests. It's certainly a nasty form of protest and probably a tortuous act that the company can sue them for, but I'm not sure that it's criminal...